CISA Orders 3-Day Patching for Critical Vulnerabilities

New directive prioritizes AI-exploitable flaws as federal agencies face accelerated remediation timelines for internet-facing systems.

Omega Editorial · June 10, 2026 · 3 min read

The Cybersecurity and Infrastructure Security Agency has issued a binding operational directive requiring federal agencies to patch their most critical vulnerabilities within three days, a significant acceleration from the typical two-to-three-week timeline that has governed federal cybersecurity practices.

The directive, released Wednesday, establishes a risk-based framework that sorts vulnerabilities into categories based on four criteria: whether the vulnerable software is internet-facing, whether it appears in CISA's Known Exploited Vulnerabilities catalog, whether it can be exploited through automated means, and whether successful exploitation would grant an attacker partial or total system control.

Vulnerabilities meeting at least three of these criteria trigger the three-day patching requirement. According to Federal News Network, which first reported the details, CISA's analysis of one unnamed civilian agency found that only 1% of vulnerabilities would fall into this urgent category, while more than 60% could be deferred to routine system updates.

Why it matters

The directive represents the federal government's first major policy response to AI-enabled cyber threats. As machine learning models become capable of identifying and exploiting software flaws at machine speed, the traditional patching cadence leaves agencies exposed during the window between vulnerability disclosure and remediation. The three-day deadline aims to close that window for the vulnerabilities most likely to be weaponized by AI-driven attacks.

Responding to AI-driven threats

Chris Butera, CISA's acting executive assistant director for cybersecurity, framed the new approach as "patching smarter, not harder." The directive emerged from an AI security executive order signed by President Donald Trump last week, making it one of the administration's first concrete cybersecurity outputs.

Butera told reporters that CISA chose the three-day window deliberately, balancing urgency against operational feasibility. "We do believe that agencies should be able to meet the three-day deadline," he said. "That is why we didn't choose, for example, a 24-hour deadline."

Agencies have 180 days to implement the new processes.

Implementation questions

Tod Beardsley, CISA's former KEV section chief, acknowledged the directive brings needed clarity to vulnerability prioritization but expressed skepticism about execution. "I remain dubious that a three-day deadline spread across more than a hundred agencies is an achievable patch cadence today," Beardsley wrote on LinkedIn.

While the directive only binds federal agencies, CISA is encouraging critical infrastructure operators and state and local governments to adopt similar practices.

Critical infrastructure legislation

Separately on Wednesday, Senator Mark Warner introduced legislation requiring CISA to update the 16 sector risk management plans within nine months, with mandatory updates every two years thereafter. Warner's office noted some sector plans haven't been refreshed in a decade.

"As AI continues to rapidly evolve, we must ensure our cybersecurity defenses keep up with the threats of the moment," Warner said in a statement.

The details were first reported by Federal News Network.

This is an original analysis by the Omega editorial team. Source reporting: AI Watch.
